
Krishna Dagli writes to mention findings by the company Trend Micro on the extent of bot infection in U.S. Government computers. The article by Information Week indicates that, while the 'original' findings were much harsher, the security vendor has since backed down from some of its claims. Still, the extent to which information-stealing software has penetrated our national infrastructure is enough to take note. From the article: "While it may be tempting to discount the warnings of security vendors as self serving--bot fever means more business for Trend Micro--there's unanimity about the growing risk of cybercrime. In its list of the top 10 computer security developments to watch for in 2007, released last week, the SANS Institute warns that targeted attacks will become more prevalent, particularly against government agencies. 'Targeted cyber attacks by nation states against U.S. government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities,' SANS director of research Alan Paller says in an e-mail. 'Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks.'"

Don't you wish the Internet was more like a dump truck? You could just wash it down with a good stream of water when it got too dirty.
The series of tubes that the Internet is made up of needs a very special pipe cleaner called firing the person using the Gov box to surf on sites that have bots for adverts. And then to top it all you need to get a filter to catch all the pubic hairs (bots) that come off while computing without pants on.
That damn series of tubes. So hard to maintain.

- we have a new excuse for legalising illegal wiretapping and making it mandatory for Americans' PCs to spy on their owners! Because if we don't, those strangely elusive terrorists will have won. Again.

Wouldn't it be fitting if TM discovers, after its review of those 6TB of data, that the majority of bots are operating from within their own network, and from within those of their peers in the security industry. It would be a fitting irony.

But they would never 'discover' that, because they can't sell themselves or their peers security software.
A more newsworthy headline, even aside from the fact that 'Extent of Government Computers Infected by Bots Uncertain' really has no relevant meaning at all and anyone who paid to get a report with that title should demand a refund, would be if a security software company audited someone's machines and reached the conclusion that no, you do not need to buy anything from us.

Insert the standard grumbling about government mismanagement and IT provided by the lowest bidder, but this is really extra sad. If people like me can keep bots off our grandmothers' computers for the low, low price of a smile, a hug, and some melted sweets which date back to the Carter administration, why can't the people who built the damn Internet manage?

"No generalization is worth a damn, including this one." - Oliver Wendell Holmes. Neither is yours.

I work for a Federal agency (see my post below) and we have a large number of skilled IT workers (some as contractors, some as Feds) that diligently keep our network up, running, and as safe as several million dollars a year can manage.

For your (and the parent poster's) information, it is not as easy to manage millions of computers spread over the entire globe and keep them as safe as your granny's PC. If you t

I think you need a reality check. The US government is a large, diverse entity with over a million people working for it in places all over the world. It takes a lot of money to make it work, and as with any government, that money has to be coerced out of the population by law; you don't pay for services, mostly, as you would from, say, your local air conditioning service company.

In a lot of ways, I agree that many of the people, especially in Congress, fit your characterization, as do a few government man

For your (and the parent poster's) information, it is not as easy to manage millions of computers spread over the entire globe and keep them as safe as your granny's PC. If you think it is, then you need to find another profession.

If it isn't easy then you shouldn't do it. Seriously. If *you* find it hard to manage millions of computers, then you shouldn't be managing millions of computers. Nobody should. No one person should be directly managing more than a few hundred or thousand computers at most.

I can see you don't know much about your own government, if you are American. What part of "large" and "diverse" don't you understand? The US Government is comprised of a number of cabinet level Departments, each of which is separately managed and funded. That means nobody is managing more than you said. Some Departments even are sub-divided, such as the DOD, making it even less centrally managed. Don't put words in my mouth.

What I said wasn't a complaint, it was a statement of fact. It meant that the

Interesting and true (sorry, no mod points right now). As someone who has worked for a government agency before, I can vouch for how cash-strapped these places really are. Money goes to wages and health care and very little is left for other things. Granted, the USA Government should do a better job, but given the amount of red-tape involved in contracting the IT dept (clearances, call-out times, safety assurances) it is a wonder the PCs work at all. It would be great if we could all go into the government w

The people that built the damn internet don't manage the systems any more. Take a gander at OMB Circular A-76 (for those that don't know and don't care to look it up, it's a directive from the Office of Management and Budget that directs agencies to contract out for their help). Bid out all your IT administration to the low bidder and see what happens. Right now if the agency I work for buys me a new Dell, the IT contractors may get around to configuring and installing it for me within six months. It's ob

As someone who has worked in government IT, I can tell you that the biggest problem that we faced security-wise was the bureaucracy of the government. Want to hire a consultant, buy a piece of security software? Then you have to go through the long and arduous procurement process (forget any nimbleness or adaptability). Want to fire someone who is incompetent? Forget it (firing anyone is a HUGE pain in the ass, especially in the federal system). What you end up with in government IT (and, hence, cyber-security) is often a bunch of guys used to doing the same thing every day; never learning anything new; who have grown burned-out, disenchanted, and cynical with the whole process.

The biggest problem is that people mention 'government computers' with this huge blanket statement. Government agencies are not connected to each other (except by the internet) and they are all run differently, with different policies and safeguards. Different sites might not even be connected in the same organization.
There may be vulnerabilities in certain areas but they aren't necessarily systemic.

I know it's always fashionable to bash Windows here on /., but stories like this really do beg the question of why the government is not seriously looking at a more secure operating platform. In particular, while Linux is not perfect, it would be much less likely to fall prey to the ills that are epidemic on Windows without much, if any, added cost post transition. I suppose someone will have to die before getting off of Windows is seriously considered, if even then.

Do you know what govt agencies have to go through to approve an upgrade from Word 2000 to XP? And you want them to change a whole OS? hahahahah! Notice I said "approve". They can buy the stuff all day long, but can't install it without jumping through 1000 hoops. :)

In particular, while Linux is not perfect, it would be much less likely to fall prey to the ills that are epidemic on Windows without much, if any, added cost post transition.

I am not convinced that OSS is really all that more secure than closed-source software. Not saying Windows is not vulnerable (otherwise we wouldn't be having this discussion), but let's be realistic here. The chief advantage to OSS is the peer-review process, but in a large company like MS, peer review is probably mandatory as well

I think the real reason that you see so many security vulnerabilities is because you have experts (not just script kiddies, but blackhat experts) trying to break into Windows on a daily basis.

That may be an aggravating factor, but it's definitely not the main problem. Windows' biggest problem isn't just that it's proprietary software -- it's that it just plain sucks even within the realm of proprietary software. It's the one platform where

I don't entirely disagree with enharmonix's point about Windows being a more widely used target, but a large percentage of all webpage servers already do run Linux and already exist in large enough numbers. I do not work in the computer field, so I don't know how Apache webpage servers running on Linux compare to Windows IIS webpage servers, but why aren't there any Linux viruses or worms designed for them. I use Linux on my computer at home and it is still almost unheard of for a Linux computer to get in

The main (but certainly not only) reason Linux is so secure is that people just don't bother exploiting it.

That's not true. Linux has a significant market share for servers (30%, I believe). It is hard to exploit.

The reason Linux/BSD/OS X is more secure than Windows is because security was a larger factor in its design. It is very difficult to secure a huge software product that wasn't designed to be as secure in the first place.

The problem is, the employees will not be able to use it. To us, using one operating system or another isn't really a big deal, but to your average office worker, it's a huge shift. I have seen users struggle to use XP after learning Windows 2000. To the average computer person, there is no learning curve, but to these users, it's completely different. Now, try and do the same thing with an operating system that is truly different...

Because they typically will not pay enough for competent IT staff and admins. Government IT jobs are some of the lowest paying and have the absolutely lowest job satisfaction. Government does not want idea people, they want people that will do what they are told without question.

I know, I was there. Started my career as a Government IT employee. Hated it badly, and could not stand the supervisor that knew nothing about IT yet constantly micromanaged us, even telling us to do things that are insane-wrong t

Just recently a report was made about how govt workers are wasting time on the internet, shopping, chatting, MySpace, and porn..... Gee, I wonder how those bots got in the system? They didn't just cruise in and take up residence. THEY WERE INVITED!

Now if a limitation were installed that would not allow a luser to click OK, that would prevent that from occurring. However on the other hand call center tickets would double and luser satisfaction would decline if they were not allowed to install useless screens

Spying/eavesdropping/wiretapping? That's just the Patriot Act, come on. You guys made it legal yourselves, and now you're complaining when others do it back to you? Maybe I'm concerned about terrorists running this country, so I should be able to eavesdrop on all government communications. That's the same fantastic excuse you guys use, fair is fair.

I hate to complain, but in certain places isn't just 1 hijacked machine considered to be too many? If that 1 hijack is on a machine connected to personnel files, military files, or population files then the data that could be stolen could be huge. I can imagine someone who has purchased a million or so hijacked machines would try to use some interesting tools on every machine just to see if 1 or 2 of them show good secure government data.

I used to work both as a consultant, and an LTE for a department of a state government. I did software development, all of our Network resources were managed by the Department of Administration (DOA, appropriately enough). DOA may have started out as a good idea, one centralized agency that maintained licensing, contracts, support, purchasing, etc... But cutbacks led to them continuously cutting pay and positions. By the time I left, the only representatives from the DOA that I knew of were two LTE college students, and one former manager who took a demotion to a tech position to stay employed (which just happened to bump one of the last skilled technicians out of the department).

Anyways, under their watch we had numerous security breaches. One of our servers was hosting a child porn collection and IRC channel. Another server had been crippled by viruses, and we had seen other signs of intrusion time after time. The child porn server was confiscated by the FBI when they tracked it down. They returned the server to the DOA when they had finished so that the DOA could learn from the breach and correct the security issue, but there was no one employed with the DOA who could identify the failure or what to do about it.

Anyways, my rough guess is that given what I've seen of state networks, I would think they are heavily botnetted. The other side of the public sector though, at least the Marine Corps network, is a pretty impressive setup. I've seen those guys in action and I would be extremely surprised if there is a lick of traffic that escapes their pipes without their express knowledge.

The unclassified side of military networks can be just as scary as any other government IT network. I can't speak directly about the Marines, but I remember Code Red hitting the Army networks connected to NIPRNET real hard, compromising thousands of machines and generally making life difficult for those of us on the same connections. It's like any other organization though - there's areas that are run exceedingly well, and areas that aren't. It's hard to generalize about anything as large and complex as go

There were a few notables I saw while I was active duty in the Marine Corps as a 4067 (Computer Programmer). My first experience with the MITNOC was in Okinawa, Japan. One of the network/PC techs had put up a GeoCities page that had references to UNC paths inside the network. It worked great for him because he could go to any PC on any of the bases and get to all of the tools/software/installs he needed for most of his work. The links were only worth a damn if you could get into the network though. Unfortunately someone else (I believe it may have been 'Hackers for Girls') also discovered the links. The same weekend in 1998 that CNN was disrupted, the MITNOC (located in Quantico, VA) noticed a huge flood of attacks on the Oki network. Within a few hours, the MITNOC had the website taken down, a mirror image of the PC tech's hard drive, his browsing history for the last 3 months (printed and digital), and 3 Marines on a plane to Japan.

Another notable environment I saw was one of the office buildings in Quantico, VA. Each new building for the most part had its own network design team that would configure the building prior to people moving in, and they would design and configure everything. Once the regular staff showed up, the design team would hand off control of the network to the local IT department. The guys at the Marsh Center had this down to a science. When I left Quantico, the only thing those networks would get out of their chairs for was to clear a printer jam or replace failed hardware. Everything else was locked down, automated, network pushed, and otherwise controlled remotely. A truly beautiful environment for both the IT support team, and us developers.

If an Agency is willing to spend the money, time and energy to put in place the protections that the typical Government information system deserves, this wouldn't be a problem.

My agency uses a multi layered defense to protect us against these issues. There are network level protections, PC level protections and desk-side support level protections. We also regularly send out warnings about current threats as well as require personnel to undergo annual IT security awareness training.

Individual PCs that are found to be broadcasting unknown signals to unknown or unverifiable outside destinations are removed from the network and reimaged immediately.

If, from a complaint to the help line, we find that a PC is infected with spyware, we don't even try to remove it; it is immediately reimaged.

We have instituted a locked down desktop policy; users are NOT allowed admin access except through application to a special committee for good business cases, based upon the use of special software that requires such access to run. We bend over backwards to alter those situations to avoid that access whenever possible.

Laptops are imaged using an image that is encrypted using a good encryption program that encrypts the entire hard drive using a 512 bit key, and NO laptops are allowed to be bought without going through our receiving process where that image is installed.

We have spent millions of dollars of your tax money in the last five years bringing this system online, but now that we have, we believe that we have as safe a system that we can get without just unplugging it or spending twice as much.

We don't have classified material, but we do have information that is confidential by law and must be protected from public release. (proprietary information belonging to firms we regulate.) This limits the measures we need to use, since classified material requires a completely different level of protection.

If the VA had used a system like ours, they would never have been embarrassed by the recent theft. The theft may still have occurred, but the information would never have been at risk.

It is not a perfect system, and it takes constant diligence to maintain and periodically upgrade, but I think we do a pretty good job.

If you work for the Feds you know how the different Departments have differing tasks, goals and operational environments. I'm sure that your employees wouldn't like their SSAN's and other personal information open for all the world to see!

Uh, what do you exactly mean by "trojan"? Our department isn't disguising itself as something it isn't, like a trojan is usually defined. We are integral to the FDA being able to do its job without outside interference with IT operations. I work for the FDA - the Food and Drug Administration, and we are part of the HHS.

If you work for anybody but yourself, you are spending someone else's money, so what? I like that, too, especially when they have more than I do (which isn't hard...).

"Our department isn't disguising itself as something it isn't, like a trojan is usually defined"

The story goes that a war was fought by the Achaeans against the city of TROY for ten years. They built a Wooden Horse and hid in it until the Trojans brought it into the city. Ergo trojan task refers to any Herculean task.

"Cute little poem, but what relavance has it to my post?"

It's something similar to a quote from, I think, Grace Hopper [wikipedia.org] regarding breaking codes in WW2. Now that was a real trojan task

Sorry, didn't relate the word 'trojan' with what is usually described with the (also) Greek name-derived word "herculean", which, I think, is more often used to mean a large, difficult task. Usually the Trojan war is referred to in modern literature as being related to the deceptive manner of the Greek entry into Troy, as in "Beware of Greeks bearing gifts".

I'd never heard of the poem, I'll look it up and read it, if that was just a snippet.

That's true, but people at our level don't have anything to do with either the coercion or the allocation of that money, now do we? I won't feel bad about that, after all, at least some of that money was mine! You ARE aware that Federal employees pay income taxes, too?

Does YOUR employer take money from your paycheck and then pay you with the resulting funds? Mine does!

Laptops are imaged using an image that is encrypted using a good encryption program that encrypts the entire hard drive using a 512 bit key, and NO laptops are allowed to be bought without going through our receiving process where that image is installed.

I was just wondering, how do you do that? Where is the key saved? Is the user required to type in a 512 bit key every time they start?

If it's saved in hardware, something along the trusted computing stuff, I can understand it. But how many laptops have that

The key is, of course, part of the software that encrypts the hard drive, and yes, is based upon the password. Our agency forces the use of long passwords, from 8 - 16 characters, mandating the use of capital letters, lower case letters, and numbers. Yes, the user has to type the PW, after all, if it's stored, then it's accessible, isn't it?

Of course the security depends on the PW - it always does, unless one is using biometrics, and that has its own problems.

Ok, a few points. 8 character passwords are in the realm of today's private sector computers. And if you think people will sit at the prompt, well.. think again :p An attacker would make a backup of the disc, find the encryption used, and start cracking.

even a separate boot disk cannot even recognize the HD as being a bootable disk; it looks like an unformatted drive.

Well, that's how encrypted data should look. But the machine will need to be able to read it, and for that it needs some software. Which mea

Ok, explain to me why he'd need a BACKUP of the disk - he's got the laptop, he's got the disk - the back up does what for him?

"Well, that's how encrypted data should look. But the machine will need to be able to read it, and for that it needs some software."

Yeah, that would be something called Pointsec. Give it the right password, get in. Works real well. Forces a reboot after every third wrong password.

Just what other software would you use to do your little attack that can duplicate a 512 bit key?
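The exchange above turns on whether a "512 bit key" protects a laptop whose key is derived from an 8-16 character password. The following is an added example, not code from the original thread and not a description of Pointsec or any named product: it is a toy model of a password-keyed volume header. It assumes a hypothetical KDF-plus-key-check layout (PBKDF2 output and an HMAC check value, constructed for the demo) and shows the point the cracking argument is making: someone who images the disk runs guesses offline, so the three-wrong-passwords reboot never fires, and the search space is the password policy (roughly 48 bits for 8 mixed-case alphanumerics), not 2^512.

```python
import hashlib
import hmac
import math

# Added example: a toy password-keyed volume header. It is NOT how Pointsec or
# any other product lays out its header; the key-check construction is an
# assumption made for the demonstration.
KEY_BYTES = 64          # a 512-bit volume key, as in the thread
ITERATIONS = 1000       # deliberately low so the demo runs in well under a second
CHECK_LABEL = b"volume-key-check"   # constructed label for the key-check MAC


def derive_key(password, salt, iterations=ITERATIONS):
    """Stretch the typed password into the 512-bit volume key (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_volume_header(password, salt):
    """What an attacker who images the disk obtains: the salt plus a value that
    lets the boot software confirm a password is right before mounting."""
    key = derive_key(password, salt)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return salt, check


def recover_password(header, candidates):
    """Offline guessing against the imaged header. No lockout or reboot counter
    is involved because the laptop's own software is never asked anything."""
    salt, check = header
    attempts = 0
    for cand in candidates:
        attempts += 1
        guess = hmac.new(derive_key(cand, salt), CHECK_LABEL, "sha256").digest()
        if hmac.compare_digest(guess, check):
            return cand, attempts
    return None, attempts


def policy_candidates(base_words):
    """Guesses shaped to satisfy the stated policy (upper, lower, digits):
    a capitalised word followed by two digits."""
    for word in base_words:
        for digits in range(100):
            yield f"{word.capitalize()}{digits:02d}"


def policy_entropy_bits(length, alphabet_size):
    """Upper bound on password entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    salt = b"constructed-salt"                   # constructed sample value
    header = make_volume_header("Summer07", salt)  # constructed weak password
    found, tries = recover_password(header, policy_candidates(["winter", "summer", "welcome"]))
    print(f"recovered {found!r} after {tries} offline guesses")
    print(f"8 chars over 62 symbols: ~{policy_entropy_bits(8, 62):.1f} bits (key is {KEY_BYTES * 8})")
```

Raising the KDF iteration count slows each guess but does not change the shape of the problem; only a secret that is not derived solely from the password (a TPM-sealed key, a token, or simply a much longer passphrase) moves the effective strength toward the key size.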

If you've been listening to the post-9/11 Bushisms you should know that you are NEVER safe, remember? We're on CODE ORANGE right now in fact, you should be running around screaming because there's a terrorist RIGHT BEHIND YOU, AAAAAAH!!!! http://www.dhs.gov/dhspublic/display?theme=29 [dhs.gov]

I think we should be less concerned about the use of government computers in botnets and more concerned about securing personal information. If the government created and enforced security guidelines for all of their equipment, botnets would not exist AND our information would be secure. I never understood why the government gave the NSA tons of money to develop SELinux and then not deploy that software to other government agencies. I know that government employees currently need Windows-only software, b

Being that many of my young friends work in the government including in the House and Senate (not as Pages *ducks*), I know they aren't using their heads when computing. They spend about 6 hours a day on a computer probably looking at $_favorite_porn_site . Those computers are almost guaranteed to be infected.

To one Congressional Office's credit (Cliff Stearns), they actually had iMacs setup. I guess that's one step in the right direction.

These problems are endemic to the Windows universe, yet the headline and summary give no clue. Obviously the ignorant market needs more help to make the connection between Windows and unnecessary risk.

If it had been a Linux problem, the headline would have shouted it. Let's give Windows headline credit for its main features: Insecurity and wasted time and money.

Obviously the ignorant market needs more help to make the connection between Windows and unnecessary risk.

No, the ignorant market needs to make the connection between incompetent or overworked system admins and unnecessary risk. Now, Windows may be *harder* to protect than, say, Linux, but in the hands of incompetent (or grossly overworked) system admins, neither system is safe.

Hackers operating through Chinese Internet servers have launched a debilitating attack on the computer system of a sensitive Commerce Department bureau, forcing it to replace hundreds of workstations and block employees from regular use of the Internet for more than a month, Commerce officials said yesterday.

The attack targeted the computers of the Bureau of Industry and Security, which is responsible for controlling U.S. exports of commodities, software and technology having both commercial and military uses. The bureau has stepped up its activity in regulating trade with China in recent years as the United States increased its exports of such dual-use items to the growing Chinese market.

The Government has too much infrastructure to just change their operating systems, and far too many potential compromises in the form of hundreds of thousands of employees (millions?). To ask them to make the sweeping and drastic changes to all their agencies wouldn't be a monumental task, it would be a near impossible one.
Instead, just pull the plug. That is the internet one. Seriously, completely remove all the agencies from the Web, firewall them down to ZERO access to non-government networks.
In each of

Another possibility might be to install a KVM switch on each computer so that the government employee could switch back and forth between a computer that is connected to the Internet and one that isn't. At one time I had a KVM switch between my new computer and my old computer. The KVM switch allowed me to switch back and forth between the two computers in about two seconds. A KVM (keyboard-video-mouse) switch allows the use of one keyboard, video and mouse to control more than one computer. One of the c

Government machines have the distinction of being extremely insecure. There are lots of reasons, government requirements to contract out to "8A" corporations being one of them. "8A" corporations are small companies that the government has to sling a percentage of work to when contract time comes up. Oftentimes these are inexperienced folks who don't even know what a DOS prompt is.

We had a recurring nightmare scenario in the Army of someone successfully infiltrating our machines with "byte crack" (think Ho

As it appears that Trend Micro can't spot a forged FROM: header. They're having to "reanalyse" their data after it turned out they were wrong. The upshot is that this is a non-story, but an interesting one. The correct reading of it is that a security vendor has been caught out doing what we all suspect they do all the time anyway: spinning research to make their IO-bound bloatware look useful.

Five years of George "The Genius" Bush protecting us. Revamped all our security into "Homeland Security", reorganized all our intelligence systems, got a Republican Congress to do whatever he wanted. Now we're starting to see how rampant insecurity has rotted his huge government from the inside. Feel safer?

Vote to fire or keep your Representative on TUE November 7, 2006 (one month from tomorrow). Odds are you'll have the choice to fire one of your Senators. Reformatting the White House will probably take ano

You know...I have your typical ADSL line, 6 megabit down, 700kbps up. Here is what I see pounding on my firewall (BSD type firewall) almost every day... Hitting port 1026 like a mad hatter. port 1026 is generally used for those nasty windows messenger (the service, not the IM software) SPAM popups. Funny, right? Perhaps it is really the DOD trying to use windows messenger popup spam to brain wash me, but I highly doubt it, My mind is not worth the effort!!!
OrgName: DoD Network Information Center
O
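The post above describes the classic symptom of the Messenger-service popup spam era: a firewall being hit over and over on UDP port 1026 (the Messenger service, not MSN Messenger, listened on UDP 1026-1029 and was abused for popup spam) from a source that whois attributes to someone else entirely. The following is an added example, not code from the original post: a small triage script that reads firewall block lines and reports which sources are repeatedly hitting those ports over UDP. The log-line layout, the threshold, and the sample lines (RFC 5737 documentation addresses) are all constructed for the demo; a real pf or ipfw log needs its own regex.

```python
import re
from collections import Counter

# Constructed line shape for this example, NOT pf's or any real firewall's
# native log format:  "<date> <time> block <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) block (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# UDP ports the Windows Messenger *service* listened on; popup spam targeted these.
MESSENGER_PORTS = {1026, 1027, 1028, 1029}


def parse_line(line):
    """Return a dict for a well-formed block line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def messenger_spam_sources(lines, threshold=3):
    """Sources that sent at least `threshold` UDP datagrams to Messenger ports.

    TCP hits on the same port numbers are ignored: Messenger spam was UDP, and
    1026+ over TCP is far more often an ordinary ephemeral-port connection.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "udp" and rec["dport"] in MESSENGER_PORTS:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2006-10-06 03:14:01 block udp 203.0.113.7:4521 -> 198.51.100.20:1026
2006-10-06 03:14:01 block udp 203.0.113.7:4521 -> 198.51.100.20:1026
2006-10-06 03:14:02 block udp 203.0.113.7:4522 -> 198.51.100.20:1027
2006-10-06 03:14:03 block udp 203.0.113.7:4523 -> 198.51.100.20:1026
2006-10-06 03:14:03 block udp 203.0.113.7:4523 -> 198.51.100.20:1026
2006-10-06 03:15:10 block udp 203.0.113.9:1029 -> 198.51.100.20:1026
2006-10-06 03:16:00 block tcp 192.0.2.55:33001 -> 198.51.100.20:1026
2006-10-06 03:16:00 block tcp 192.0.2.55:33002 -> 198.51.100.20:1026
2006-10-06 03:16:01 block tcp 192.0.2.55:33003 -> 198.51.100.20:1026
2006-10-06 03:16:05 block tcp 192.0.2.55:33004 -> 198.51.100.20:80
this line is not a firewall record and is skipped
"""

if __name__ == "__main__":
    for src, n in sorted(messenger_spam_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {n} UDP hits on Messenger ports")
```

The output source address is the starting point, not the conclusion: with UDP the sender address is trivially spoofable, and the poster's own reading (a DoD-registered block showing up as the source) is exactly the kind of result that should be treated as "check for spoofing or a compromised host in that range" rather than "the DoD is spamming me".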

And that's why it generally fails against any kind of sophisticated online attack, no matter what form this attack takes. It's the same for huge companies, btw. Vast amounts of money, the ability to hire every and any brain available to counter the attack, but the time it takes 'til they get into gear usually means that by the time the attacker is long gone and untraceable, they are finally done with the budget for it. That's where organized crime is having the upper hand: Speed. When you're in the defensive

Hey, if any of the people running these bot nets is reading this, can you get in touch with me? I'd like to get the aggregated personal tax return information for the past thirty years or so, so I can do a fact-based analysis of shifts in wealth distribution. Thanks in advance.

not one organization at the state or local level took any action when the Department of Homeland Security(DHS) put out a warning against using MS Internet Explorer when a major risk was found and left open by Microsoft for over 3 months. Heck, three departments in my city were shutdown for a day when one of the Microsoft Windows bot software was 'failing' and resulted in some of the infected computers to constantly reboot. Yet, after that, questions presented about continued use of MS IE resulted in answers

The solution is a 'virus' that installs Firefox and Thunderbird, replacing every reference of IE and OE with said programs, then downloading and running Spybot S&D/Adware as well as an antivirus program.